Vault 7 lessons on insider threats

By Sean D. Carberry

Mar 13, 2017

As officials investigate the WikiLeaks "Vault 7" release of alleged CIA hacking and surveillance program information, they are looking for a former government hacker or contractor who might have provided the trove of documents.

The incident illustrates the damage such an insider can do. According to one former intelligence official, insider threats are still the biggest cybersecurity danger to both the government and the private sector.

Ever since Chelsea Manning provided hundreds of thousands of classified and sensitive documents to WikiLeaks in 2010, the government has not done enough to minimize the insider threat, said Curt Dukes, who formerly led the National Security Agency's now-defunct Information Assurance Directorate.

Dukes, currently executive vice president at the Center for Internet Security, told GCN's sister site FCW that there are concrete steps that government can take to reduce insider threats.

"One area where there ought to be more effort is digital watermarking," he said. According to Dukes, the technology imprints digital documents with watermark code that shows who accessed them and when, which would allow officials to track the documents and ultimately discourage leaks.

Dukes also said agencies can better empower the workforce to report suspicious behavior by coworkers.

In addition, organizations can do a better job of configuring network access to ensure that users only have access to what they are required to and that other data is out of reach, he said.

"Anytime there's a security incident, the good news is the private sector will rush in with solutions," he said, in reference to behavior-based detection systems that can monitor users for atypical activity on a network.

Technology is maturing, he said, and "behavior-based detection is [a] step in the right direction," but it's not a panacea. "What you may find is that you end up with false positives," which then have to be investigated, and there is a potential for security staff to get numb to those alerts.

Better cyber hygiene, especially concerning "internet of things" devices, is also critical. Many of the surveillance tools and tactics in the Vault 7 release -- methods of infecting phones and TVs to turn them into monitoring devices -- have been around for years, and hackers and other nation states have long had such capabilities, Dukes said.

"From basic telephones on the desk to [voice over internet protocol phones] to mobile phones … we've always seen this as a threat vector," he said, adding that the WikiLeaks release "is another wake-up call for the IT sector" to ensure it is building better security into modern devices.

That's all the more reason, he argued, that IT staffs must practice better cyber hygiene -- patching and updating systems and software in particular -- especially as they acquire more and more connected devices.

"If you're not at the most current patch level, then you're just inviting people to exploit you," he said. "To me this is the new normal that we all have to work through."

"If nothing else, based off of this most recent revelation, the new administration should look at how effective our insider-threat policy is and whether it needs revision in the wake of this incident," he said.

A version of this article first appeared on FCW, a sister site to GCN.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.